If you've been blocked as an open proxy, please see: Help:blocked.
The multiwiki MetaProject on open proxies seeks to identify, verify and block open proxies and anonymity network exit nodes. To prevent abuse or vandalism, only proxy checks by verified users will be accepted. All users are welcome to discuss on the talk page, report possible proxies, or request that a blocked IP be rechecked.
Automated lists and tools
- User:AntiCompositeBot/ASNBlock, maintained by User:AntiCompositeBot, is a daily-updated list of hosting provider ranges that need assessment for blocks. Admins are encouraged to review the list and assess for blocks as needed. All administrators are individually responsible for any blocks they make based on that list.
- ISP Rangefinder is a tool that allows administrators to easily identify and hard block all ranges for an entire ISP. It should be used with extreme caution, but is useful for blocking known open proxy providers. All administrators are individually responsible for any blocks they make based on the results from this tool.
- IPCheck is a tool that can help provide clues about potential open proxies.
Reporting
Please report IP addresses you suspect are open proxies below. A project member will scan or attempt to connect to the proxy, and if confirmed will block the address.
File a new report here
I. For block requests: Verify that the following criterion has been met:
For unblock requests: Verify that the following criteria have been met:
II. For block requests: Replace "IP" below with the IP address you are reporting.
For unblock requests: Replace "IP" below with the IP address you are reporting.
III. Fill out the resulting page and fill in the requested information.
IV. Save the page.
Verified Users/Sysops Templates
Requests
185.125.227.0/24
– A proxy checker has requested a second opinion on this case.
Whole range in McAfee (not colo). Most IPs are used for the McAfee VPN service. Spur flags it, and it can also be verified by SSL certs on ports 443 and 8081 (check Shodan). MarioGom (talk) 17:59, 13 March 2021 (UTC)
- 185.221.69.46
- Looks more like "corporate gateway" than "open proxy/VPN" to me, I'd like a 2O on how to handle this from a more experienced proxy-blocker. GeneralNotability (talk) 01:27, 15 March 2021 (UTC)
- For those looking into it, here are their VPN products: McAfee Web Gateway Cloud Service (nominally the reported range) and McAfee Safe Connect VPN. The latter seems to be for end users, but I don't know if they share endpoints. --MarioGom (talk) 08:48, 15 March 2021 (UTC)
- I can confirm now that McAfee Safe Connect VPN (end-user offering) is identified as TunnelBear (see other reports), while the range reported here is exclusively about Web Gateway Cloud Service (corporate VPN). --MarioGom (talk) 22:36, 17 March 2021 (UTC)
- @MarioGom and GeneralNotability: Not an experienced (proxy-)blocker by any stretch of the imagination, but just a thought since this has been open for a while: Do we know if the gateway service sends XFF headers? In that case, I'd say soft blocks are probably the way to go – otherwise, I think both soft and hard should be fine given that it is functioning as an anonymiser, even if not intentionally. --Blablubbs|talk 09:46, 10 May 2021 (UTC)
ProtonVPN (II)
– A proxy checker has requested administrator assistance for action regarding the case below. The requested action is below.
Unblocked ProtonVPN nodes. MarioGom (talk) 18:11, 6 May 2021 (UTC)
In progress, looking for blockable ranges. --Blablubbs|talk 16:00, 7 May 2021 (UTC)
- This is a bit of a rabbit hole, bear with me. The IPs above are Confirmed and there's a bunch of different webhosts involved.
- The first lot is in , which is Doratelekom, a Turkish webhost. There's a lot more in the ASN, but I'm hesitant to action it without reading up some more, as a previous CU-block on a dora range indicates that there are also legitimate residential ranges here.
- The second group is on a range that has normal residential IPs on it, so the following will have to be blocked individually:
- The 162. group is this DS provider and covered by . Looking at the ASN here turned up some other ranges that are good to block:
- The 185. ones are in , which belongs to ICME, a webhost that also offers colocation (given the VPN IPs, this one should probably be hardblocked, or soft with individual blocks on the VPN IPs). Other ranges belonging to that provider are:
- The 194. group is also serverion and covered by
Awaiting administrative action, please Hardblock the IPs I linked here for 2 years each. I'll leave it up to you whether you want to soft- or hardblock the ones where I noted colocation (or just leave the additional ranges alone entirely). --Blablubbs|talk 16:44, 7 May 2021 (UTC)
NordVPN
A user has requested a proxy check. A proxy checker will shortly look into the case.
New unblocked NordVPN addresses. Some possible UPE activity there too. MarioGom (talk) 21:34, 10 May 2021 (UTC)
119.8.115.183
– A proxy checker has requested administrator assistance for action regarding the case below. The requested action is below.
- 119.8.115.183
Reason: Appears to be a sock behind a VPS/VPN. No edit history until today; edit summary shows extensive knowledge of WP. Normchou 💬 18:31, 12 May 2021 (UTC)
- The IP is a web server hosted at Huawei Cloud. Possibly a VPN node. And on top of that Spur flags it as a residential proxy. 119.8.96.0/19 should be good to block. Someone may want to block all other ranges from ISP: HUAWEI CLOUDS. MarioGom (talk) 19:23, 12 May 2021 (UTC)
- While Huawei Cloud doesn't appear to offer colocation, this specific IP doesn't really look like a conventional anonymiser to me. Given the region, I think it's likely that Huawei ranges are going to have a good number of corporate gateways on them, used by Chinese companies who need access to a less filtered internet for business purposes; I'm not comfortable hardblocking the lot. However, softblocks seem warranted. The ranges are a little unwieldy here, but I think the below should cover everything.
Awaiting administrative action – please block the following, soft, two years each:
- Thanks. --Blablubbs|talk 09:57, 13 May 2021 (UTC)
PureVPN (II)
A user has requested a proxy check. A proxy checker will shortly look into the case.
Notes:
- 46.243.224.0/24 per whois data is wholly assigned to PureVPN-NET.
- 178.170.136.0/24 per whois data is wholly assigned to PureVPN-NET.
- 85.208.3.0/24 whois data may be misleading. This /24 has many PureVPN nodes and every IP has a srv-dN.inioscloud.com hostname. Website (http://inioscloud.com/ https://www.kotisivut.com/) and hostnames suggest that the whole /24 is a web host.
- 5.172.204.192/26 offers all kinds of server hosting and colocation services (https://www.lancom.gr/). If you check ISP Range Finder, be careful, since results are mixed with CityLanCom LTD. Many other ranges in the ISP are already blocked. So I guess either the /24 or /26 are good for a block.
- 178.21.169.0/24 is also Lancom LTD, like the previous one. This /24 is clearly marked in whois as Cloud-Customers. So a webhost block should be good.
- 103.16.199.0/24 provides servers and connectivity (https://jalanet.co.id), I'm not really sure about this one. Maybe hard blocks for the individual IPs?
- 92.38.175.0/27 per whois data is wholly assigned to pointtoserver (PureVPN alias), but the /24 would also be good to block since we're already blocking most G-Core Labs S.A. ranges.
- 213.21.192.0/20 seems to be an ISP/backbone (Versia), not good to block. It might be better to hard block the individual IPs.
- 141.101.134.0/24 also on Versia but this whole /24 subrange is assigned to PureVPN-NET per whois.
- 103.28.90.0/24 and 103.28.91.0/24 are primarily hosting (https://www.gbnetwork.my/), other ranges already blocked for hosting VPNs.
- 79.142.64.0/22 is already under a soft block. Please do hard block the individual IPs.
- 141.101.146.0/24 per whois data is wholly assigned to PureVPN-NET.
- 185.125.170.0/24 whois data is a bit weird. 185.125.170.40/29 and 185.125.170.160/28 are assigned to GZSYSTEMS (PureVPN alias) while 185.125.170.24 to 185.125.170.30 are outside those subranges and are PureVPN too. I guess the /24 is good for a hard block.
- 94.242.48.0/20 is a FishNet ASN, Veesp datacenter subrange.
- 46.243.220.0/24 per whois data is wholly assigned to PureVPN-NET.
- 206.123.128.0/19 per whois email is assigned to pointtoserver (PureVPN alias).
- 149.7.226.0/24 second opinion needed.
- 116.206.126.0/24 cloud service per whois. Didn't look in depth.
- 128.1.63.0/24 per whois data this subrange is Zenlayer Managed Hosting.
Unblocked PureVPN nodes that I missed in the initial report. MarioGom (talk) 11:40, 15 May 2021 (UTC)
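The range arithmetic behind the 185.125.170.0/24 note above, as an added example (not part of the original report and not one of the project's tools): it checks that the .24 to .30 nodes fall outside the two whois-assigned subranges, then counts how many addresses the /24 would cover beyond those assignments and the observed nodes. The function names are hypothetical; the addresses are the ones quoted in the note.

```python
import ipaddress

# Values quoted in the 185.125.170.0/24 note.
ASSIGNED = ["185.125.170.40/29", "185.125.170.160/28"]  # whois-assigned subranges
CANDIDATE = "185.125.170.0/24"                          # proposed block
OBSERVED_FIRST, OBSERVED_LAST = "185.125.170.24", "185.125.170.30"


def observed_nodes(first, last):
    """Expand an inclusive first..last span into individual addresses."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]


def uncovered(nodes, assigned):
    """Return the nodes that fall outside every whois-assigned subrange."""
    nets = [ipaddress.ip_network(n) for n in assigned]
    return [ip for ip in nodes if not any(ip in net for net in nets)]


def tight_blocks(first, last, assigned):
    """Smallest CIDR set covering the assigned subranges plus the observed span."""
    nets = [ipaddress.ip_network(n) for n in assigned]
    nets += ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return list(ipaddress.collapse_addresses(nets))


def assess(candidate, first, last, assigned):
    """Compare a wide candidate block against the tight, evidence-only cover."""
    cand = ipaddress.ip_network(candidate)
    tight = tight_blocks(first, last, assigned)
    if not all(net.subnet_of(cand) for net in tight):
        raise ValueError("candidate block does not contain all of the evidence")
    evidenced = sum(net.num_addresses for net in tight)
    return {
        "tight": [str(net) for net in tight],
        "evidenced": evidenced,
        # Addresses the wide block would cover with no whois or node evidence.
        "unevidenced": cand.num_addresses - evidenced,
    }


if __name__ == "__main__":
    nodes = observed_nodes(OBSERVED_FIRST, OBSERVED_LAST)
    print("outside assigned subranges:", [str(ip) for ip in uncovered(nodes, ASSIGNED)])
    print(assess(CANDIDATE, OBSERVED_FIRST, OBSERVED_LAST, ASSIGNED))
```

The same comparison applies to the other notes that weigh a narrow assignment against a wider block, such as the /27 versus /24 and /26 versus /24 cases.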
See also
- Subpages
- Related pages
- Policy on open proxies
- Open proxy detection
- Guide to checking open proxies
- Proxy check result templates
- Advice to users using Tor to bypass the Great Firewall
- meta:XFF project
- Sister projects